How to get rid of the ‘hoek’ vulnerabilities

Problem description

I recently pushed an Angular CLI 5 application to GitHub and it indicated the following:

We found a potential security vulnerability in one of your dependencies.
A dependency defined in net-incident/package-lock.json has known security vulnerabilities and should be updated.
Dependencies defined in net-incident/package-lock.json 816
hapijs / hoek Known security vulnerability in 2.16.3

I have gone through the output from ‘npm audit’ and executed the various updates, including the following (which was not suggested):

npm install --save-dev request@2.86.0

The ‘request’ package contains ‘hawk’ which contains ‘hoek’. When I look at the ‘request’ package in node_modules the version has changed. But the following two updates from ‘npm audit’ do not seem to do anything:

npm update fsevents --depth 4
npm update stringstream --depth 5

I am left with the following:

[!] 33 vulnerabilities found [12201 packages audited]
    Severity: 5 Low | 24 Moderate | 4 High
    Run `npm audit` for more detail

Many of the vulnerabilities look like the following:

Moderate        Prototype pollution
Package         hoek
Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of   karma
Path            karma > log4js > loggly > request > hawk > boom > hoek
More info       https://nodesecurity.io/advisories/566

In the end, the application would not compile, so I replaced the package and lock files, and now I am back to the beginning. I really want to fix the security issues. How do I get rid of the pesky ‘hoek’ vulnerabilities?

Recommended answer

I was patient and they fixed the problem:

npm update karma@latest

Should work.
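
An added example, not part of the original question or answer: after an update, this check lists every copy of hoek recorded in a parsed package-lock.json and flags those outside the patched range quoted in the advisory, which shows whether an old copy is still installed elsewhere in the tree. It assumes the nested `dependencies` layout of lockfileVersion 1 (npm 5/6); the function names and the sample lockfile are constructed for illustration.

```javascript
// Patched range from the advisory quoted in the question:
//   > 4.2.0 < 5.0.0 || >= 5.0.3
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number); // ignores prerelease tags
}

function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0) ? -1 : 1;
  }
  return 0;
}

function hoekIsPatched(v) {
  return (compare(v, '4.2.0') > 0 && compare(v, '5.0.0') < 0) ||
    compare(v, '5.0.3') >= 0;
}

// Walk the nested "dependencies" objects of a lockfileVersion 1 file and
// return every installed copy of `name` with its node_modules location.
function findCopies(lock, name, trail = []) {
  const found = [];
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const here = trail.concat(dep);
    if (dep === name) {
      found.push({ location: here.join(' > '), version: info.version, dev: !!info.dev });
    }
    found.push(...findCopies(info, name, here));
  }
  return found;
}

function vulnerableCopies(lock) {
  return findCopies(lock, 'hoek').filter((c) => !hoekIsPatched(c.version));
}

// Constructed sample: a hoisted old copy plus a patched copy nested under request.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: '2.16.3', dev: true },
    request: {
      version: '2.86.0', dev: true,
      dependencies: { hoek: { version: '4.2.1', dev: true } },
    },
  },
};

console.log(vulnerableCopies(sampleLock));
```

To run it against a real project, pass the object obtained by parsing that project's package-lock.json to `vulnerableCopies` in place of `sampleLock`.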
